Commit Graph

3195 Commits

Author SHA1 Message Date
Rich Salz
852c2ed260 In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.

Deprecate stack-of-block

Better documentation

Move some ASN1 struct typedefs to types.h

Update ParseC to handle this.  Most of all, ParseC needed to be more
consistent.  The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns.  There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)
2020-04-24 16:42:46 +02:00
Rich Salz
1cd2c1f857 Update some nits around the FIPS module
- Changed the generated FIPS signature file to be "fipsmodule.conf"
since it contains information about the FIPS module/file.
- Add -q option to fipsinstall command, to stop chatty verbose status
messages.
- Document env var OPENSSL_CONF_INCLUDE

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11177)
2020-04-24 13:19:16 +02:00
Matt Caswell
33388b44b6 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 13:55:52 +01:00
Pauli
7a92e80469 gendsa: remove unnecessary OPENSSL_SUPPRESS_DEPRECATED definition
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11570)
2020-04-21 13:25:23 +10:00
Dr. David von Oheimb
0aa87e8683 Update comment on crls_http_cb() as it does support non-blocking I/O since #10667
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)
2020-04-20 11:34:02 +02:00
Dr. David von Oheimb
2b264aee6f Fix descriptions of credentials and verification options for various apps
fix doc of s_client and s_server credentials and verification options
fix doc of verification options also for s_time, x509, crl, req, ts, and verify
correcting and extending texts regarding untrusted and trusted certs,
making the order of options in the docs and help texts more consistent,
etc.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)
2020-04-20 11:33:53 +02:00
Pauli
09ec5e6f5d dhparam: white space cleaning
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:40 +10:00
Pauli
61b2afb50a apps: undeprecate the conditioned out apps
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
19d9be09d1 openssl: include the version a command was deprecated in the output text.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
f84fe4f448 apps: reinstate deprecated commands but using PKEY APIs
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
7539cb70eb dsaparam: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
dddbbc6f39 gendsa: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
8f7e1f68cc genrsa: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
99a7c3a7bf openssl: include the version a command was deprecated in the output text.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
188dd86ab4 apps: reinstate deprecated commands but using PKEY APIs
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:38 +10:00
Pauli
ccefc3411e dhparam: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:38 +10:00
Pauli
cd3572a110 dsaparam: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:36:35 +10:00
Pauli
54affb77c5 rsa: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:36:35 +10:00
Pauli
b940349de1 dsa: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:36:35 +10:00
Nikolay Morozov
7a41760667 GOST2012 TLS ClientCertificateType Identifiers support
For GOST2012-GOST8912-GOST8912 IANA introduce ClientCertificateType Identifiers
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11558)
2020-04-18 13:32:49 +03:00
张盛豪
031c9bd3f3 apps/speed: fix invalid final report when run SM2 benchmarks in parallel
Fixed #11523
CLA: trivial

Signed-off-by: 张盛豪 <zhangshenghao1995@163.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11557)
2020-04-18 11:47:50 +08:00
Rich Salz
1ae56f2f43 Don't compile commands if disabled
Rather than wrapping whole files in "ifndef OPENSSL_NO_xxx" we handle
the changes in build.info

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11250)
2020-04-10 15:24:02 +02:00
Shane Lontis
f5056577ba Move legacy ciphers into the legacy provider
DES, idea, seed, rc2, rc4, rc5, cast and blowfish have been moved out of the default provider.
Code shared between desx and tdes has been moved into a seperate file (cipher_tdes_common.c).
3 test recipes failed due to using app/openssl calls that used legacy ciphers.
These calls have been updated to supply both the default and legacy providers.
Fixed openssl app '-provider' memory leak

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11419)
2020-04-09 12:47:46 +10:00
Dr. David von Oheimb
afe554c2d2 Chunk 10 of CMP contribution to OpenSSL: CMP http client and related tests
Also improve the generic HTTP client w.r.t. proxy and no_proxy options.

    Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
    Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
    Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
    Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11404)
2020-04-02 18:17:00 +02:00
Tianjia Zhang
cd81ac7be3 apps: support sendfile in s_server when ktls enabled
When the -WWW or -HTTP option is specified, s_server can choose
to use SSL_sendfile to transmit the file requested by client
with KTLS is enabled, taking full advantage of the performance
advantages of Kernel TLS, and adding the '-sendfile' command
line parameter to control this behavior.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11318)
2020-04-01 19:13:25 +08:00
Tomas Mraz
9e885a707d s_server: Properly indicate ALPN protocol mismatch
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
an alert is sent to the client on ALPN protocol mismatch.

Fixes: #2708

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11415)
2020-03-27 17:24:42 +01:00
Dr. David von Oheimb
7e765f46a6 Chunk 9 of CMP contribution to OpenSSL: CMP client and related tests
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11300)
2020-03-25 14:10:18 +01:00
Richard Könning
402b00d579 Use ctx2 instead ctx.
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11372)
2020-03-24 13:00:04 -07:00
Rich Salz
cab33afb71 Update CA.pl podpage, and script
Merge the NOTES section into the relevant parts of the manpage.
Add the $EXTRA parameter in consistent places (the end) to call
commands.  Document that multiple -extra-XXX might be needed.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11338)
2020-03-23 14:20:21 +03:00
Dr. David von Oheimb
8cc86b81ac Constify various mostly X509-related parameter types in crypto/ and apps/
in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *,
also some result types of new functions, which does not break compatibility

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10504)
2020-03-23 08:30:37 +01:00
Bernd Edlinger
7e06a6758b Fix error handling in x509v3_cache_extensions and related functions
Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10755)
2020-03-21 18:46:36 +01:00
EasySec
9a1c170d63 s_server: warn about NO PSK identity hint in TLSv1.3
There is NO PSK identity hint in TLSv1.3 so output a warning message
when inconsistent PSK / TLS options are mixed.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11322)
2020-03-20 18:07:18 +01:00
Richard Levitte
2292c8e17f APPS: Remove all traces of special SM2 treatment.
SM2 IDs are now passed entirely as '-pkeyopt', '-sigopt' or '-vfyopt'
values, just like any other valid option.

Fixes #11293

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)
2020-03-15 19:42:05 +01:00
Richard Levitte
aba9bca31c APPS: Add ctrl_str()-like functionality for X509 and X509_REQ
This should really be part of libcrypto, but since this looks like
added legacy support, it's preferable to keep it in apps for now.

This allows to build functions that add user given verification
options to X509 and X509_REQ structures.

Fixes #11293

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)
2020-03-15 19:42:05 +01:00
Pauli
ddff37db32 Remove old incorrect DH parameter files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
2020-03-14 15:05:56 +10:00
Dr. David von Oheimb
44387c9000 Move OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
62dcd2aa17 Chunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Vladimir Panteleev
8293fb6840 spkac: Check return values of NETSCAPE_SPKI functions
Fixes silently producing an invalid SPKAC with non-RSA keys.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11224)
2020-03-09 11:51:51 +03:00
Rich Salz
d462b5ff21 Add -section option to 'req' command
This removes "req" as the hardwired section for the req command.
Doing this will let us merge some test configs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11249)
2020-03-07 12:58:02 +03:00
Pauli
6bd4e3f231 cmdline app: add provider commandline options.
Add a -provider option to allow providers to be loaded. This option can be
specified multiple times.

Add a -provider_path option to allow the path to providers to be specified.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)
2020-03-07 11:46:48 +10:00
Roger Ning
f07f6e400d fix a minor bug of s_client
CLA: trivial

-CAstore's option should be OPT_CASTORE, instead of OPT_CAFILE
correct also -no-CAstore option from OPT_NOCAPATH to OPT_NOCASTORE

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11215)
2020-03-05 19:43:08 +01:00
Dmitry Belyavskiy
71434aed0d Implementation of Russian GOST CMS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)
2020-03-03 16:34:40 +03:00
Richard Levitte
fe909ee4ae Remove apps/progs.c and apps/progs.h
Since they are generated in build time, there's not need to keep them
in the source tree.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)
2020-03-02 03:34:30 +01:00
Richard Levitte
a3f1fc2501 Build: Generate apps/progs.c and apps/progs.h in build time
util/progs.pl depends on the build tree (on configdata.pm,
specifically), so it needs to be run from the build tree.  But why
stop there?  We might as well generate apps/progs.c and apps/progs.h
when building.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)
2020-03-02 03:34:30 +01:00
Bastian Germann
d4c3bdb0f1 apps x509: restrict CAkeyform option to OPT_FMT_PDE
CAkeyform may be set to PEM, DER or ENGINE, but the current options
are not using the proper optionformat 'E' (OPT_FMT_PDE) for this.

Set the valtype for CAkeyform to 'E' and use OPT_FMT_PDE when extracting
the option value.

This amends 0ab6fc79a9 ("Fix regression on x509 keyform argument") which
did the same thing for keyform and changed the manpage synopsis entries
for both keyform and CAkeyform but did not change the option section.
Hence, change the option section for both of them.

CLA: trivial

Co-developed-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Torben Hohn <torben.hohn@linutronix.de>
Signed-off-by: Bastian Germann <bage@linutronix.de>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11085)
2020-02-26 17:23:53 +01:00
Pauli
92fee4213b pkey: additional EC related options
Add options to change the parameter encoding and point conversions for EC
public and private keys.  These options are present in the deprecated 'ec'
utility.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)
2020-02-21 22:55:13 +10:00
Pauli
e1dcac2260 apps: distinguish between a parameter error and an unknown parameter.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)
2020-02-21 13:04:25 +01:00
Pauli
2ee0dfa684 Params: add argument to the _from_text calls to indicate if the param exists.
The extra argument is a integer pointer and is optional.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11049)
2020-02-21 13:04:25 +01:00
Pauli
ada66e78ef Deprecate the low level Diffie-Hellman functions.
Use of the low level DH functions has been informally discouraged for a
long time.  We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)
2020-02-20 19:04:57 +10:00
Pauli
c5f8713443 Deprecate the low level RSA functions.
Use of the low level RSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)
2020-02-20 18:58:40 +10:00